Hotel v2 - Introduction
This API has been deprecated.
Deprecation Date: 10/14/2022
Partners and customers using a deprecated API should contact SAP Concur and discuss moving to the latest versions.
Learn more in the API Lifecycle & Deprecation Policy.
The Hotel Services v2 Direct Connect provides a method for Travel users to access hotel inventory.
The Hotel Service 2.0 API from SAP Concur is a specification based on OTA 2015 standard for Hotel Suppliers. Please refer to XSD schema of the service and WSDL service description. This Guide provides information how the Hotel Supplier can make their content available for Concur Travel users using Hotel Service 2.0 API. Once the Hotel Supplier has developed and certified their interface with SAP Concur, their inventory will begin appearing in hotel searches by opted-in Travel users. This API has client/server architecture, where SAP Concur acts as client, pulling information from the Hotel Supplier, who acts as server, responding to SAP Concur’s requests. This guide specifies the request and response format required by SAP Concur.
This call-out differs from the in-bound SAP Concur web services in the following ways:
- It uses an out-bound message where SAP Concur calls a public facing API end-point provided by the hotel supplier.
- The supplier configures and maintains the public web service interface. This guide specifies the request and response format required by SAP Concur.
Access to this documentation does not provide access to the API.
SAP Concur products are highly configurable, and not all clients will have access to all features.
- Rate Details
- Hotel Description
|Maximum response content-length
Responses that exceed these limits will be dropped and handled as error responses.
|Ideal response time
Achieving lower response times helps get information to the traveler sooner which leads to a better user experience. SAP Concur understands that not every hotel program manages their own inventory and requires relays out to other vendors and the numbers above take that scenario into consideration.
All endpoints carry a timeout of 55 seconds. No endpoints will attempt a retry in the event there is a timeout.
SAP Concur has monitoring in place for each endpoint and will open a ticket with suppliers if a significant degradation or variance of service quality is detected.
NOTE: To prevent no show fees, duplicate bookings and other similar issues, SAP Concur recommends the Hotel Supplier auto-cancel the reservation if a corresponding ReadRQ message is not sent by SAP Concur within 5 minutes after the HotelResRS message was sent to SAP Concur.
SAP Concur is unable to share details regarding maximum connections and/or throttling questions due to their sensitivity in nature.
The Hotel supplier needs to provide emergency technical contact email that will be used for communication in case of blocking technical issues.
To allow SAP Concur performing testing, the Hotel Supplier needs to provide testing URL or specify properties for testing in production URL. SAP Concur needs to be able to perform test bookings with testing credit cards.
PCI DSS Compliance
As sensitive data and payment card details are transferred via API, the Hotel Suppliers need to comply with PCI DSS standard. SAP Concur is compliant with PCI DSS standard and undergoes regular security audits.
SAP Concur requires TLS 1.2 (Transport Layer Security) SSL protocol for file transfers. The Hotel Supplier will provide SAP Concur HTTPS URL of its end-point. Standard HTTPS port 443 should be used.
SAP Concur will receive a single URL from the Hotel Supplier. All requests will go to that URL.
For details of all required HTTP headers refer to Headers
SAP Concur is using date as xs:date XML type “2017-05-01”.
CDATA and HTML code inside of XML nodes and attributes are not allowed. These data will be escaped. The hotel suppliers should not use XML special characters - predefined entities: &, <, >, “, ‘ inside of ID elements like RatePlanID.
All messages to and from the HS2 API follow this structure:
Note: The Header element in a request must contain the Authentication element.
Note: The header in the response does not need the Authentication element.